rpms
/
checkpolicy
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Rebuild with fixed libsepol

This commit is contained in:
Dan Walsh 2013-01-05 07:09:43 -05:00
parent aa082595d2
commit c662668dab
2 changed files with 155 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

176
checkpolicy-rhat.patch
View File

@ -1,33 +1,165 @@
diff --git a/checkpolicy/checkmodule.c b/checkpolicy/checkmodule.c
index 47603e0..cb58cf0 100644
--- a/checkpolicy/checkmodule.c
+++ b/checkpolicy/checkmodule.c
@@ -63,10 +63,12 @@ static int read_binary_policy(policydb_t * p, char *file, char *progname)
if (fstat(fd, &sb) < 0) {
fprintf(stderr, "Can't stat '%s': %s\n",
file, strerror(errno));
+ close(fd);
return -1;
}
map =
mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
+ close(fd);
if (map == MAP_FAILED) {
fprintf(stderr, "Can't map '%s': %s\n", file, strerror(errno));
return -1;
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 8fa3214..2c12447 100644
index 2c12447..5db1bca 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -2341,7 +2341,10 @@ int define_role_trans(int class_specified)
@@ -415,6 +415,38 @@ int define_default_role(int which)
return 0;
}
+int define_default_type(int which)
+{
+ char *id;
+ class_datum_t *cladatum;
+
+ if (pass == 1) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ while ((id = queue_remove(id_queue))) {
+ if (!is_id_in_scope(SYM_CLASSES, id)) {
+ yyerror2("class %s is not within scope", id);
+ return -1;
+ }
+ cladatum = hashtab_search(policydbp->p_classes.table, id);
+ if (!cladatum) {
+ yyerror2("unknown class %s", id);
+ return -1;
+ }
+ if (cladatum->default_type && cladatum->default_type != which) {
+ yyerror2("conflicting default type information for class %s", id);
+ return -1;
+ }
+ cladatum->default_type = which;
+ free(id);
+ }
+
+ return 0;
+}
+
int define_default_range(int which)
{
char *id;
@@ -2777,6 +2809,7 @@ int define_constraint(constraint_expr_t * expr)
}
if (!node->expr) {
yyerror("out of memory");
+ free(node);
return -1;
}
node->permissions = 0;
@@ -3068,13 +3101,11 @@ uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2)
ebitmap_destroy(&negset);
return (uintptr_t) expr;
default:
- yyerror("invalid constraint expression");
- constraint_expr_destroy(expr);
- return 0;
+ break;
}
- ebitmap_set_bit(&e_classes, cladatum->s.value - 1, TRUE);
+ if (ebitmap_set_bit(&e_classes, cladatum->s.value - 1, TRUE)) {
yyerror("invalid constraint expression");
- free(expr);
+ constraint_expr_destroy(expr);
return 0;
}
@@ -3281,6 +3312,7 @@ cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void *arg2)
return expr;
default:
yyerror("illegal conditional expression");
+ free(expr);
return NULL;
}
}
@@ -4627,7 +4659,10 @@ int define_range_trans(int class_specified)
goto out;
}
- ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, TRUE);
+ if (ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, TRUE)) {
+ yyerror("out of memory");
+ return -1;
+ goto out;
+ }
}
id = (char *)queue_remove(id_queue);
diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h
index ccbe56f..8bfd8f6 100644
--- a/checkpolicy/policy_define.h
+++ b/checkpolicy/policy_define.h
@@ -26,6 +26,7 @@ int define_category(void);
int define_class(void);
int define_default_user(int which);
int define_default_role(int which);
+int define_default_type(int which);
int define_default_range(int which);
int define_common_perms(void);
int define_compute_type(int which);
diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
index d92cc32..b40f413 100644
--- a/checkpolicy/policy_parse.y
+++ b/checkpolicy/policy_parse.y
@@ -143,7 +143,7 @@ typedef int (* require_func_t)();
%token POLICYCAP
%token PERMISSIVE
%token FILESYSTEM
-%token DEFAULT_USER DEFAULT_ROLE DEFAULT_RANGE
+%token DEFAULT_USER DEFAULT_ROLE DEFAULT_TYPE DEFAULT_RANGE
%token LOW_HIGH LOW HIGH
%left OR
@@ -202,9 +202,11 @@ opt_default_rules : default_rules
;
default_rules : default_user_def
| default_role_def
+ | default_type_def
| default_range_def
| default_rules default_user_def
| default_rules default_role_def
+ | default_rules default_type_def
| default_rules default_range_def
;
default_user_def : DEFAULT_USER names SOURCE ';'
@@ -217,6 +219,11 @@ default_role_def : DEFAULT_ROLE names SOURCE ';'
| DEFAULT_ROLE names TARGET ';'
{if (define_default_role(DEFAULT_TARGET)) return -1; }
;
+default_type_def : DEFAULT_TYPE names SOURCE ';'
+ {if (define_default_type(DEFAULT_SOURCE)) return -1; }
+ | DEFAULT_TYPE names TARGET ';'
+ {if (define_default_type(DEFAULT_TARGET)) return -1; }
+ ;
default_range_def : DEFAULT_RANGE names SOURCE LOW ';'
{if (define_default_range(DEFAULT_SOURCE_LOW)) return -1; }
| DEFAULT_RANGE names SOURCE HIGH ';'
diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
index 62d03f0..bba7667 100644
--- a/checkpolicy/policy_scan.l
+++ b/checkpolicy/policy_scan.l
@@ -229,6 +229,8 @@ default_user |
DEFAULT_USER { return(DEFAULT_USER); }
default_role |
DEFAULT_ROLE { return(DEFAULT_ROLE); }
+default_type |
+DEFAULT_TYPE { return(DEFAULT_TYPE); }
default_range |
DEFAULT_RANGE { return(DEFAULT_RANGE); }
low-high |
diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
index 6a951f6..96ef047 100644
--- a/checkpolicy/test/dismod.c
+++ b/checkpolicy/test/dismod.c
@@ -844,7 +844,10 @@ int main(int argc, char **argv)
/* read the binary policy */
fprintf(out_fp, "Reading policy...\n");
- policydb_init(&policydb);
+ if (policydb_init(&policydb)) {
+ fprintf(stderr, "%s: Out of memory!\n", __FUNCTION__);
+ exit(1);
+ }
if (read_policy(argv[1], &policydb)) {
fprintf(stderr,
"%s: error(s) encountered while loading policy\n",

2
checkpolicy.spec
View File

@ -1,5 +1,5 @@
%define libselinuxver 2.1.11-1
%define libsepolver 2.1.8-2
%define libsepolver 2.1.8-5
Summary: SELinux policy compiler
Name: checkpolicy
Version: 2.1.11